Evasion Techniques for VM-based Black-Box Software Analysis

2022 IEEE International Workshop on Metrology for Industry 4.0 & IoT (MetroInd4.0&IoT) (2022)

Abstract
One of the great challenges in the process of black-box testing is the fact that it's possible for an application to hide malicious behavior after detecting the presence of a hypervisor. In this paper, we demonstrate the main virtualization detection mechanisms in the Linux environment and propose an environment meant to prevent hypervisor detection. The created environment consists of a Linux virtual machine and a Linux container that is created directly in the host machine. After that, an application is executed inside the virtual machine and from within a container whose files were imported into the guest machine through the network. The tools libvirt, KVM and QEMU were used for system virtualization, container technologies (chroot, Docker, LXC, systemd-nspawn) were used to create an isolated environment, the OpenSUSE, Manjaro and Arch Linux distributions were used for virtualization and the 9p protocol was used to create a network bridge between the guest and host systems.
Keywords
9p, artifacts, black-box software analysis, containers, CPUID, detection, Docker, hypervisor, KVM, LXC, QEMU, systemd, virtualization